Problems with Port Forwarding for RDP in WebVPN

Hi,
I'm hoping somebody can help me solve this problem that's been bugging me for weeks. We recently implemented a double-layer firewall architecture. Before that, our users could access RDP via port forwarding on WebVPN or the Cisco VPN client without any problems.
After we implemented the double-layer firewall architecture, users who are going through the WebVPN and port forwarding for RDP began to experience frequent disconnections, slowness or freezing connections. The users who are using the client are fine.
I checked the logs and I'm getting repetitive TCP-O for the port forwarding connections for RDP. Additional information: the FW we installed as a 2nd layer is Netscreen. I've already set the policy on it to Any-Any for the meantime to help in troubleshooting but to no avail. 
I hope somebody can help me in sorting this out as I'm kind of confused on the difference between the port-forwarding for RDP via the WebVPN and the normal RDP via the client.  

Hi,
I didn't see anything marked with red in the above? (At least when I was reading)
I have not really had to deal with routers at all since we do all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public NAT IP address, which in this case seems to be configured to use your FastEthernet4 interface's public IP address.
There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
- Jouni

Similar Messages

  • HELP!! asa 5505 8.4(5) problem with port forwarding-smtp

    Hi I am having a big problem with port forwarding on my asa. I am trying to forward smtp through the asa  to my mail server.
    my mail server ip is 10.0.0.2 and my outside interface is 80.80.80.80 , the ASA is setup with pppoe (I get internet access no problem and that seems fine)
    When I run a trace I get "(ACL-Drop) - flow is denied by configured rule"
    Below is my config file; any help would be appreciated.
    Result of the command: "show running-config"
    : Saved
    ASA Version 8.4(5)
    hostname ciscoasa
    domain-name domain.local
    enable password mXa5sNUu4rCZ.t5y encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group ISPDsl
    ip address 80.80.80.80 255.255.255.255 pppoe setroute
    ftp mode passive
    dns server-group DefaultDNS
    domain-name domain.local
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Server_SMTP
    host 10.0.0.2
    access-list outside_access_in extended permit tcp any object server_SMTP eq smtp
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network obj_any
    nat (inside,outside) dynamic interface
    object network server_SMTP
    nat (inside,outside) static interface service tcp smtp smtp
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpdn group ISP request dialout pppoe
    vpdn group ISP localname [email protected]
    vpdn group ISP ppp authentication chap
    vpdn username [email protected] password *****
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:c5570d7ddffd46c528a76e515e65f366
    : end

    Hi Jennifer
    I have removed that nat line as suggested but still no joy.
    here is my current config
    Result of the command: "show running-config"
    : Saved
    ASA Version 8.4(5)
    hostname ciscoasa
    domain-name domain.local
    enable password mXa5sNUu4rCZ.t5y encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group ISP
    ip address 80.80.80.80 255.255.255.255 pppoe setroute
    ftp mode passive
    dns server-group DefaultDNS
    domain-name domain.local
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Server_Mail
    host 10.0.0.2
    access-list outside_access_in extended permit tcp any object Server_Mail eq smtp
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Server_Mail
    nat (inside,outside) static interface service tcp smtp smtp
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpdn group ISP request dialout pppoe
    vpdn group ISP localname [email protected]
    vpdn group ISP ppp authentication chap
    vpdn username [email protected] password *****
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f3bd954d1f9499595aab4f9da8c15795
    : end
    also here is the packet trace
    and my acl
    Thanks

  • Problem with Port Forwarding in WRT320N

    Good day.
    I have a web-server and Internet-radio translator to local network of my provider. And I found a problem with Port Forwarding. I'm trying to setup 80 & 8000 ports to forward. And it's working but only for Internet, without provider's local network. My web-server isn't accessible in local network and radio-translator too. 
    So is it possible to forward ports absolutely - for any type of connections? 
    P.S. DMZ is working like Port Forwarding.

    If you ask questions you have to mention that you have a PPTP connection to the internet and another network directly on the internet port. Otherwise no one will really understand your question as it is a very unusual setup.
    Your setup is not one really supported by the router. You are lucky that it works but don't expect too much. Port forwarding only the internet connection. If you use PPTP the network on the internet port is basically hidden. Using that local network on the internet port is not supported.
    The DMZ host is the IP address to which all ports are forwarded to which are not forwarded otherwise. The same restriction applies here.
    I would recommend to ask your ISP which router they recommend for their internet connection. I think most/all Linksys routers and many other brand's consumer routers won't really support a setup like yours...

  • Problem with Port Forwarding (when PPTP is up) in WRT-160N

    Hi, everybody!
    I'm looking for some help with Port Forwarding in my new router from Linksys. I bought the router a few days ago, and was badly surprised when I found out that there is DD-WRT firmware installed in it (the router was 100% NEW when I purchased it). I have downloaded the latest original Linksys firmware file and successfully flashed it.
    But I still have a problem (the same one I had on DD-WRT firmware too) with port forwarding for my DC++ and Vuze (app for torrents): I've written port forwards for ports 49151 (for Vuze) and 4000 (for DC++) to be forwarded to my desktop computer (IP 192.168.1.201) -- I've seen a post at this forum saying that there could be a problem if you forward to an IP which is inside the DHCP local zone, so I've forwarded it to the .201 IP (my local DHCP zone is 192.168.1.100 - .149). But forwarding doesn't work ((
    What's wrong?
    My configuration:
    Router IP: 192.168.1.1
    PPTP (I've got it from my ISP)
    IP address: 192.168.226.127
    Default Gateway: 192.168.226.2
    DNS 1: 192.168.1.1
    DNS 2 & 3: 0.0.0.0
    PPTP Server IP Address: 192.168.226.2
    Username: ****
    Password: ****
    Single Port Forwarding:
    Application name     External port     Internal port     Protocol     To IP address     Enabled
    Vuze                       49151               49151             Both           192.168.1.201    Checked
    DC                          4000                 4000              Both           192.168.1.201    Checked

    As you have mentioned in your post that your ISP has provided you a PPTP connection with an IP address: 192.x.x.x. The IP address which is provided to you by your ISP is in a Private Range, and if you try to forward any ports on your router it will not work, as your ISP modem will block that port. So you need to get a Public IP address from your ISP.
    As you are getting Private IP from your ISP, so this connection is called as NAT behind NAT, and your Modem is acting like a Router. 
    So now you have 2 options, get the Public IP address from your ISP or change the connection type. 

  • Help with port forwarding for the WRT54G

    I need assistance please!
    I am having issues trying to setup port forwarding for a ftp. I already have set this up for a SQL Server port and it works remotely. When I setup another rule for ftp using port range 20-21 it does not work.
    I have confirmed that I have saved my settings, have the correct IP address, etc. I have firmware version 4.21.1 and not sure how to troubleshoot this. Any help would be great.
    Thanks,
    John

    Yes you do need to have the port already forwarded for port 20~21 with both TCP/IP and UDP enabled unless you know for sure your ftp only uses just one of them.  That is why I asked what port your SQL was set to.  Follow the link that other guy posted and open port 20 and 21 (I only use 21 with no problems) and make sure it is directed to the IP of the ftp host.  Also that PC needs to have the FTP enabled in Windows.  To do that go to your control panel > add/remove software > and on the left side go to add/remove windows components.  Then check the box for the ftp and add it.  It should ask for your Windows CD so have it handy when you add the ftp component to your PC.
    Richard Aichner (Ikester)

  • Port Forwarding for RDP 3389 is not working

    Hi,
    I am having trouble getting RDP (port 3389) to forward to my server (10.20.30.20).  I have made sure it is not an issue with the server's firewall, it's just the Cisco.  I highlighted in red what I thought I need in my config to get this to work.  I have removed the last 2 octets of the public IP info for security. Here is the configuration below:
    TAMSATR1#show run
    Building configuration...
    Current configuration : 11082 bytes
    version 15.2
    no service pad
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname TAMSATR1
    boot-start-marker
    boot system flash:/c880data-universalk9-mz.152-1.T.bin
    boot-end-marker
    logging count
    logging buffered 16384
    enable secret
    aaa new-model
    aaa authentication login default local
    aaa authentication login ipsec-vpn local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization console
    aaa authorization exec default local
    aaa authorization network groupauthor local
    aaa session-id common
    memory-size iomem 10
    clock timezone CST -6 0
    clock summer-time CDT recurring
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-1879941380
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1879941380
    revocation-check none
    rsakeypair TP-self-signed-1879941380
    crypto pki certificate chain TP-self-signed-1879941380
    certificate self-signed 01
    ip dhcp excluded-address 10.20.30.1 10.20.30.99
    ip dhcp excluded-address 10.20.30.201 10.20.30.254
    ip dhcp excluded-address 10.20.30.250
    ip dhcp pool tamDHCPpool
    import all
    network 10.20.30.0 255.255.255.0
    default-router 10.20.30.1
    domain-name domain.com
    dns-server 10.20.30.20 8.8.8.8
    ip domain name domain.com
    ip name-server 10.20.30.20
    ip cef
    no ipv6 cef
    license udi pid CISCO881W-GN-A-K9 sn
    crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
    ip tftp source-interface Vlan1
    class-map type inspect match-all CCP_SSLVPN
    match access-group name CCP_IP
    policy-map type inspect ccp-sslvpn-pol
    class type inspect CCP_SSLVPN
      pass
    zone security sslvpn-zone
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp policy 20
    encr aes 192
    authentication pre-share
    group 2
    crypto isakmp key password
    crypto isakmp client configuration group ipsec-ra
    key password
    dns 10.20.30.20
    domain tamgmt.com
    pool sat-ipsec-vpn-pool
    netmask 255.255.255.0
    crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
    crypto ipsec transform-set TSET esp-aes esp-sha-hmac
    crypto ipsec profile VTI
    set security-association replay window-size 512
    set transform-set TSET
    crypto dynamic-map dynmap 10
    set transform-set ipsec-ra
    reverse-route
    crypto map clientmap client authentication list ipsec-vpn
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface Loopback0
    ip address 10.20.250.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly in
    interface Tunnel0
    description To AUS
    ip address 192.168.10.1 255.255.255.252
    load-interval 30
    tunnel source
    tunnel mode ipsec ipv4
    tunnel destination
    tunnel protection ipsec profile VTI
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    ip address 1.2.3.4
    ip access-group INTERNET_IN in
    ip access-group INTERNET_OUT out
    ip nat outside
    ip virtual-reassembly in
    no ip route-cache cef
    ip route-cache policy
    ip policy route-map IPSEC-RA-ROUTE-MAP
    duplex auto
    speed auto
    crypto map clientmap
    interface Virtual-Template1
    ip unnumbered Vlan1
    zone-member security sslvpn-zone
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered Vlan1
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport mode trunk
    no ip address
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.20.30.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
    ip default-gateway 71.41.20.129
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
    ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
    ip nat inside source static 10.20.30.20 (public ip)
    ip route 0.0.0.0 0.0.0.0 public ip
    ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
    ip access-list extended ACL-POLICY-NAT
    deny   ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
    deny   ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
    deny   ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
    permit ip 10.20.30.0 0.0.0.255 any
    permit ip 10.20.31.208 0.0.0.15 any
    ip access-list extended CCP_IP
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended INTERNET_IN
    permit icmp any any echo
    permit icmp any any echo-reply
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    permit esp host 24.153. host 66.196
    permit udp host 24.153 host 71.41.eq isakmp
    permit tcp host 70.123. host 71.41 eq 22
    permit tcp host 72.177. host 71.41 eq 22
    permit tcp host 70.123. host 71.41. eq 22
    permit tcp any host 71..134 eq 443
    permit tcp host 70.123. host 71.41 eq 443
    permit tcp host 72.177. host 71.41. eq 443
    permit udp host 198.82. host 71.41 eq ntp
    permit udp any host 71.41. eq isakmp
    permit udp any host 71.41eq non500-isakmp
    permit tcp host 192.223. host 71.41. eq 4022
    permit tcp host 155.199. host 71.41 eq 4022
    permit tcp host 155.199. host 71.41. eq 4022
    permit udp host 192.223. host 71.41. eq 4022
    permit udp host 155.199. host 71.41. eq 4022
    permit udp host 155.199. host 71.41. eq 4022
    permit tcp any host 10.20.30.20 eq 3389
    evaluate INTERNET_REFLECTED
    deny   ip any any
    ip access-list extended INTERNET_OUT
    permit ip any any reflect INTERNET_REFLECTED timeout 300
    ip access-list extended IPSEC-RA-ROUTE-MAP
    deny   ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
    deny   ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
    deny   ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
    deny   ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
    deny   ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
    deny   ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
    permit ip 10.20.30.208 0.0.0.15 any
    deny   ip any any
    access-list 23 permit 70.123.
    access-list 23 permit 10.20.30.0 0.0.0.255
    access-list 24 permit 72.177.
    no cdp run
    route-map IPSEC-RA-ROUTE-MAP permit 10
    match ip address IPSEC-RA-ROUTE-MAP
    set ip next-hop 10.20.250.2
    banner motd ^C
    UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
    You must have explicit permission to access or configure this device.  All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
    ^C
    line con 0
    logging synchronous
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0
    access-class 23 in
    privilege level 15
    logging synchronous
    transport input telnet ssh
    line vty 1 4
    access-class 23 in
    exec-timeout 5 0
    privilege level 15
    logging synchronous
    transport input telnet ssh
    scheduler max-task-time 5000
    ntp server 198.82.1.201
    webvpn gateway gateway_1
    ip address 71.41. port 443
    http-redirect port 80
    ssl encryption rc4-md5
    ssl trustpoint TP-self-signed-1879941380
    inservice
    webvpn context TAM-SSL-VPN
    title "title"
    logo file titleist_logo.jpg
    secondary-color white
    title-color #CCCC66
    text-color black
    login-message "RESTRICTED ACCESS"
    policy group policy_1
       functions svc-enabled
       svc address-pool "sat-ipsec-vpn-pool"
       svc default-domain "domain.com"
       svc keep-client-installed
       svc split dns "domain.com"
       svc split include 10.0.0.0 255.0.0.0
       svc split include 192.168.0.0 255.255.0.0
       svc split include 172.16.0.0 255.240.0.0
       svc dns-server primary 10.20.30.20
       svc dns-server secondary 66.196.216.10
    default-group-policy policy_1
    aaa authentication list ciscocp_vpn_xauth_ml_1
    gateway gateway_1
    ssl authenticate verify all
    inservice
    end

    Hi,
    I didn't see anything marked with red in the above? (At least when I was reading)
    I have not really had to deal with routers at all since we do all access control and NAT with firewalls.
    But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public NAT IP address, which in this case seems to be configured to use your FastEthernet4 interface's public IP address.
    There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
    - Jouni
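
The mismatch Jouni describes, checked mechanically (an added example, not code from the thread): the script replays each static PAT entry against the inbound ACL on the outside interface using the interface's public address, because classic IOS evaluates that ACL before NAT rewrites the destination. The sample config is constructed, with 203.0.113.10 as a placeholder for the redacted public IP; only the `interface` form of static PAT and numeric `eq` ports are handled.

```python
import ipaddress
import re

# Constructed sample; 203.0.113.10 stands in for the redacted public address.
SAMPLE_CONFIG = """\
interface FastEthernet4
ip address 203.0.113.10 255.255.255.248
ip access-group INTERNET_IN in
ip nat outside
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip access-list extended INTERNET_IN
permit tcp any host 10.20.30.20 eq 3389
deny   ip any any
"""

NAT_RE = re.compile(
    r"ip nat inside source static tcp (\S+) (\d+) interface (\S+) (\d+)$")


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))  # ValueError if not an IPv4 address


def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    head = tokens.pop(0)
    if head == "any":
        return (0, 0xFFFFFFFF)
    if head == "host":
        return (to_int(tokens.pop(0)), 0)
    return (to_int(head), to_int(tokens.pop(0)))


def parse_ace(tokens):
    """Parse 'permit|deny PROTO SRC DST [eq PORT]' (raises if malformed)."""
    t = list(tokens)
    action, proto = t.pop(0), t.pop(0)
    parse_addr(t)                   # source: validated, not used here
    if t and t[0] == "eq":          # skip a source-port match
        del t[:2]
    dst = parse_addr(t)
    port = t[1] if len(t) >= 2 and t[0] == "eq" else None
    return {"action": action, "proto": proto, "dst": dst, "port": port,
            "text": " ".join(tokens)}


def dst_matches(ace, ip, port):
    """True if the entry covers a TCP packet addressed to ip:port."""
    base, wild = ace["dst"]         # wildcard bits are "don't care"
    return (ace["proto"] in ("tcp", "ip") and ace["port"] in (None, port)
            and (to_int(ip) | wild) == (base | wild))


def parse_config(text):
    """Collect interface settings, extended ACLs and static PAT entries."""
    interfaces, acls, forwards, iface, acl = {}, {}, [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        tok, nat = line.split(), NAT_RE.match(line)
        try:
            if tok[0] == "interface":
                iface, acl = tok[1], None
                interfaces[iface] = {"ip": None, "acl_in": None}
            elif tok[:3] == ["ip", "access-list", "extended"]:
                iface, acl = None, tok[3]
                acls[acl] = []
            elif nat:
                to_int(nat[1])      # reject a malformed inside address
                forwards.append({"local_ip": nat[1], "local_port": nat[2],
                                 "iface": nat[3], "global_port": nat[4]})
            elif acl and tok[0] in ("permit", "deny"):
                acls[acl].append(parse_ace(tok))
            elif iface and tok[:2] == ["ip", "address"]:
                to_int(tok[2])      # "dhcp" or "negotiated" is skipped
                interfaces[iface]["ip"] = tok[2]
            elif iface and tok[:2] == ["ip", "access-group"] and tok[-1] == "in":
                interfaces[iface]["acl_in"] = tok[2]
        except (IndexError, ValueError):
            continue                # blank, truncated or redacted line
    return interfaces, acls, forwards


def audit_port_forwards(text):
    """Check each static PAT against the outside ACL, which runs before NAT."""
    interfaces, acls, forwards = parse_config(text)
    results = []
    for fw in forwards:
        outside = interfaces.get(fw["iface"], {})
        entries = acls.get(outside.get("acl_in"))
        status, dead = "not-evaluated", []
        if entries is not None and outside["ip"]:
            status = "denied"       # implicit deny ends every ACL
            for ace in entries:
                if dst_matches(ace, outside["ip"], fw["global_port"]):
                    status = "permitted" if ace["action"] == "permit" else status
                    break
                if ace["action"] == "permit" and dst_matches(
                        ace, fw["local_ip"], fw["local_port"]):
                    dead.append(ace["text"])   # never matches on arrival
        results.append({**fw, "status": status, "dead_rules": dead})
    return results
```

A `denied` status with a non-empty `dead_rules` list is the situation in the thread: the permit exists but names the inside address. Pointing it at the global address clears the finding; narrowing the source from `any` is a separate hardening step.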

  • Problem with Port Forwarding - Password.

    Hello,
    I have a LINKSYS router, model BEFW11S4 v4 and its firmware is version 1.52.02
    My problem is that neither can I do Port Forwarding nor Port Triggering, because when I make the changes I need and press "Save Changes", it asks me for the username and password again. I write them again, but this time it does not accept them.
    I have tested it with 2 laptops connected to the router wired the first time and wireless other times.
    What should I do?
    Thank you in advance.

    Normally, you cannot "see your modem" in your network.  This is because a modem does not have an IP address.  A modem simply converts one signal (ADSL, DSL, or cable) into another signal which is an ethernet signal.
    However, some devices that people call "modems" are actually "modem-routers".  In this case your "modem-router" probably does have an IP address.  If your system is set up correctly, you can "see"  a "modem-router" that has an IP address, but it is not part of your LAN (local area network).  It is on a another subnet.
    The ethernet port of the modem should be wired to the "Internet" port on the BEFW11S4.  Do not connect the modem to any other port on the router.
    Maybe we need to back up a step or two here.  I have always assumed that you were able to get a properly working wired Internet connection through your BEFW11S4.  Is that correct?
    What is the make and model of your modem?
    Who is your ISP?
    Also, when you set up your router, leave the username blank.   Do not try to add a user name.   Change the password to something unique.  Do not use the password default "admin"   (with no quotes).
    Since you are still having problems, please use the following protocol to reset your router to factory defaults: 
    1)  Power down all computers, the router, and the modem, and unplug them from the wall.
    2)  Disconnect all wires from the router.
    3)  Power up the router and allow it to fully boot (1-2 minutes).
    4)  Press and hold the reset button for 30 seconds, then release it, then let the router reset and reboot (2-3 minutes).
    5)  Power down the router.
    6)  Connect one computer by wire to port 1 on the router (NOT to the internet port).
    7)  Power up the router and allow it to fully boot (1-2 minutes).
    8)  Power up the computer (if the computer has a wireless card, make sure it is off).
    9)  Try to ping the router.  To do this, click the "Start" button > All Programs > Accessories > Command Prompt.  A black DOS box will appear.  Enter the following:  "ping 192.168.1.1"  (no quotes), and hit the Enter key.  You will see 3 or 4 lines that start either with "Reply from ... " or "Request timed out."   If you see "Reply from ...", your computer has found your router.
    10)  Open your browser and point it to 192.168.1.1.  This will take you to your router's login page.  Leave the user name blank, and in the password field, enter "admin"  (with no quotes).   This will take you to your router setup page.  Note the version number of your firmware (usually listed near upper right corner of screen).  Exit your browser.
    If you get this far without problems, try the setup disk (or setup the router manually, if you prefer), and see if you can get your router setup and working.
    If you cannot get "Reply from ..." in step 9 above, your router is dead.
    If you get a reply in step 9, but cannot complete step 10, then either your router is dead or the firmware is corrupt.  In this case, use the Linksys tftp.exe program to try to reload your router with the latest firmware.  After reloading the firmware, repeat the above procedure starting with step 1.
    If you have problems, report back the results of steps 9 and 10.  Also, if you get any error messages, copy them exactly and report back.
    Message Edited by toomanydonuts on 04-14-2007 05:19 PM

  • How can I setup port forwarding for RDP (3389) using MHS291LVW?

    Hi,
    I went into my MHS291LVW and I enabled port forwarding.  I didn't see an option for Remote Desktop (RDP) so I added a custom application called RDP and I set "Global Port" and "Private Port" to port number 3389 and I set it as TCP/UDP and then entered the local IP (192.168.1.135) of the PC I want to connect to.  I made my local PC use a static IP so this 192.168.1.135 will never change.
    Then when I go under "About Jetpack" I see that there is a WAN IP address listed; so I wrote this down and then I tried to connect remotely to this PC from outside the Verizon Jetpack network but it didn't work.
    Then the strange thing is when I go to Google and type "what's my IP", Google shows me a different external WAN IP address than Verizon Jetpack showed me in the admin web interface.  Anyway, I tried this WAN IP address that Google gave me but it still didn't connect to my local PC.
    Can someone please help me in figuring out why this is not working?
    I've setup port forwarding on plenty of other routers (Linksys, Netgear, etc.), but I never tried it on a Verizon Jetpack MHS291LVW but it should work the same so I'm not sure why this is not working for me.
    Thank you!

    > If I can't use the "Microsoft Windows RDP" service because of the private IP; would I be able to use a software like "TeamViewer" to gain access to my PC?
    Yes.  This is how a VPN server works around the private IP address restrictions of the VZW network.  It will work and you will be able to access anything that is centrally connected to a VPN server. 
    > Also, if I were to take the VPN option and setup a VPN server on the PC
    Not on the remote PC silly guy.  Hosting a VPN from within the VZW network won't do you any good as its IP will be masked by the NAT firewall.  You must set up a VPN server off of the VZW network for it to work.  That way when you remote into the VPN server it is already outside of the VZW NAT that is restricting you in the first place.  There are many VPN vendors that you can test out and pay access for if you don't have any interest in setting up one on your own.  Some are free where others charge more money for more bandwidth and customization features.
    > If I were to try to connect to this PC on the JetPack side from an external PC on a different network I don't know how I would be able to access it since the JetPack IP address is private.
    The idea is that everything rests on the VPN server when remote connections are made.  The Jetpack PC, VPN Server and your current local PC all connect to the VPN server so everything is then local communication.  The VPN will make it appear as though everything is virtually connected to the same appliance even though they are physically separated by whatever distance you want.

  • Wrt400n has problems with port forwarding

    I have forwarded port 80 on my router and used a port forwarding tool to check to see if the port is open.  I select both and it tells me the UDP is open, but not the TCP.  Any idea why??  Thanks so much.  I have also used the same tool to check ports 3074, 88 and 53.  These ports are required for Xbox Live and I'm having an issue connecting.  It connects to the internet fine, but it appears this port may be the problem.  Please advise.

    Who is your ISP..?
    Port no 80 is by default on the router. You do not have to open the port 80. For x-box open the port 53 and 3074. Also, under the Administration tab, disable the UPnP and Uncheck Filter Anonymous Internet Requests under Security tab... Reduce the MTU value to 1365 under the setup tab. It should work now.. Make sure while doing the port forwarding, you are providing the correct ip address on the router as well on the X-Box.
    However, if your ISP is DSL then convert the modem into the bridge mode to make your x-box working.

  • New Customer Experience with Port Forwarding

    OK, so my OpenReach Modem and HomeHub 3 were installed last week and all seemed OK at first.
    A bit of background:
    I'm a seasoned IT guy and have a nice network set up at home that caters for my needs (most of the time).
    Without going into too much detail, I have my own DHCP/DNS server and I run a Webserver for personal use.
    I have Virgin Broadband - which work most of the time.
    I've also just had BT Infinity installed so I should always have Internet access no matter which ISP is having issues.
    I was hoping to be able to access my webserver externally from either my BT or Virgin. I didn't think this would be an issue.
    It still all works fine through my Virgin connection. I use dynamic DNS (no-ip.org)  to get to my server. 
    On the Virgin Superhub - I have DHCP switched off and all my machines (except one at the moment) get the Virgin router assigned as the Internet gateway (via my own DHCP server).  
    My test machine gets the BT HomeHub 3 assigned as the Internet gateway (also from my own DHCP server) and I have switched off DHCP on Home Hub.
    Before I move onto my issue, I have to say that the above network setup works flawlessly. 
    The Virgin Router is on 192.168.0.1, The Home Hub is on 192.168.0.2.  (subnet 255.255.255.0)
    They are on the same network but because DHCP is switched off on both routers - everything is happy.
    I can access my Server from the Internet via my no-ip.org address and it all works great.
    The issue:
    I thought it would be relatively simple to configure the BT Home Hub 3 to access my server from the Internet.
    Hmmm. Port Forwarding seems to be the issue. It just doesn't work reliably enough. Sometimes it works, then sometimes it stops working. Right now it's not working.
    At first I thought it was just me, not configuring it correctly. But no.
    Then I started reading this forum and found there are reports of issues with port forwarding going back a year.
    I don't know if that's a good or bad thing - an issue running that long must be on the verge of getting fixed right?
    Or any issue running that long without resolution probably has no simple resolution or just isn't a priority (for BT) maybe.
    My Question:
    (and I think I already know the answer)
    Has anyone got a sure fire way of configuring the HomeHub3 so the port forwarding works? 
    Or should I just throw in the towel now and buy a Dual Wan Router? 
    One last note:
    This morning my Infinity Broadband Speed dropped from
    38Mb down/6Mb Up (measured several times yesterday)
    to
    0.7Mb down/0.3Mb Up (yes those decimal points are in the right place)
    And I haven't got a clue why.
    I power cycled the HomeHub and it returned to normal. Does this happen to other people?
    Cheers
    Graeme.
    Graeme

    Bullitt wrote:
    > the port on your network is defined by lan ip address and port number eg 192.168.1.10:80
    > you cannot forward this outbound port twice
    There is no "port on my network". A port is associated with an IP address, not a network.
    My webserver listens on port 80 - requests from the Internet for http are port forwarded by the router (either BT Homehub or Virgin Superhub) to port 80 at address 192.168.0.5 (in my case).
    If I am trying to access my webserver from the Internet, I point my browser at the WAN IP address of my router (again it doesn't matter which one - BT or Virgin) and the router port forwards the request to my Webserver.  Each router can do this independently. 
    "you cannot forward this outbound port twice"
    As explained above - It's an inbound port not an outbound port.
    I appreciate you are trying to be helpful but just telling me something is not possible without explaining why it's not possible doesn't really help me.
    As I said before, this was working fine, then it stopped working but only when trying to access my webserver via the BT Router. It still works fine from my Virgin Router. I used WireShark and port mirroring on my switch to prove that the Home Hub has stopped port forwarding inbound traffic to my webserver.
    This is a problem with port forwarding on the Homehub, not my network setup. Looking at other posts on this forum - I'd suggest I'm not the only one having problems.
    To be honest, it's the least of my problems with the HomeHub right now. I'm far more concerned with the fact that twice today I've had to power cycle it because the throughput has dropped from 38Mbit-down/6Mbit-up to <1Mbit-down/<1Mbit-up. It's a known problem, BT are working on it, yet I still am paying full price for a product that should never have made it out of Beta test.
    Graeme

  • Problem with call forwarding. Calls can not be forwarded for incoming external calls

    Hi Everybody, how are you?
    I have a problem with call forwarding. Everything was fine, but now it is not working.
    In the reception of an office, the receptionist activates the call forward option to an internal extension. If somebody internal to the office calls the reception, the call is forwarded to the configured extension. But if I call from the outside (for example, from my cellphone), the call is not forwarded to the configured extension and continues ringing on the reception phone. Why this behavior? Any idea?
    If you know something please tell me.
    Thanks. Best regards.
    Andres Collazos.

    I encounter a similar problem with 9.1.1.
    My problem is linked to this bug ID: CSCtq10477.
    Mathieu

  • Port forwarding for clientless SSL VPN access

    Hello,
    I am currently trying to set up clientless SSL VPN access for some remote sites that our company does business with. Since their machines are not owned by my company, we don't want to install/support a VPN client. Therefore, SSL is a great option.
    However, I'm running into an issue. I'm trying to set up port forwarding for a few remote servers. These remote servers are different and have distinct IP addresses. They are attempting to connect with two different servers here.
    But my issue is that both servers are trying to use the same TCP port. The ASDM is not letting me use two different port forwarding rules for the same TCP port. The rules can exist side-by-side, but they cannot be used at the same time.
    Why? It's not trying to access the same TCP port on a server when it's already in use. Is there any way I can get around this?
    If this doesn't make sense, please let me know and I'll do my best to explain it better.

    Hi Caleb,
    If you mean clientless webvpn port-forwarding lists, then you should be able to get your requirements. Even the same port of the same server can be mapped to different ports bound to the loopback IP.
    CLI:
    ciscoasa(config)# webvpn
    ciscoasa(config-webvpn)# port-forward PF 2323 192.168.1.100 23
    ciscoasa(config-webvpn)# port-forward PF 2300 192.168.1.200 23
    Then you apply the port-forwarder list under a group-policy.
    Hope this helps
    Mashal
    Mashal Alshboul
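
The local-port mapping from the reply above, as an added example that is not part of the original posts: a Python check that parses `port-forward` entries and reports any local port claimed twice within one list. The `PF2` list, its addresses and its descriptions are constructed sample data, and treating a repeated local port in one list as a conflict is this example's assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the two PF entries from the reply above, plus a
# made-up list PF2 whose two entries deliberately share local port 3389.
SAMPLE_CONFIG = """\
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# port-forward PF 2323 192.168.1.100 23
ciscoasa(config-webvpn)# port-forward PF 2300 192.168.1.200 23
ciscoasa(config-webvpn)# port-forward PF2 3389 192.168.1.10 3389 RDP to server A
ciscoasa(config-webvpn)# port-forward PF2 3389 192.168.1.20 3389 RDP to server B
"""

# port-forward <list> <local_port> <remote_server> <remote_port> [description]
# An optional CLI prompt ending in '#' is tolerated in front of the command.
ENTRY = re.compile(
    r"^(?:\S+#\s*)?port-forward\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)(?:\s+(.*))?$"
)


def parse_port_forwards(text):
    """Return one dict per port-forward entry found in text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # not a port-forward line (e.g. the 'webvpn' line)
        name, local, server, remote, desc = m.groups()
        local, remote = int(local), int(remote)
        if not (1 <= local <= 65535 and 1 <= remote <= 65535):
            raise ValueError(f"line {lineno}: port out of range")
        try:
            server = str(ipaddress.ip_address(server))  # normalise IP literals
        except ValueError:
            pass  # not an IP literal; keep it as a hostname
        entries.append({"line": lineno, "list": name, "local": local,
                        "server": server, "remote": remote, "desc": desc or ""})
    return entries


def local_port_conflicts(entries):
    """Map (list, local_port) -> entries for local ports claimed more than once."""
    seen = defaultdict(list)
    for e in entries:
        seen[(e["list"], e["local"])].append(e)
    return {key: group for key, group in seen.items() if len(group) > 1}


if __name__ == "__main__":
    found = local_port_conflicts(parse_port_forwards(SAMPLE_CONFIG))
    for (name, port), group in found.items():
        targets = ", ".join(f'{e["server"]}:{e["remote"]}' for e in group)
        print(f"list {name}: local port {port} is claimed by {targets}")
```
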

  • How do you set up Port Forwarding for ARD 2.2 in AEB N?

    Help,
    I'm a novice at Apple Remote Desktop (ARD) - not an IT guy, so it has to be pretty basic and detailed.
    How do you set up Port Forwarding for ARD 2.2 on the Apple Airport Extreme BS router, 802.11 N. I have one at each end of the internet connection. At one end I have an Airport Extreme N router with 2 macs and eventually 1 windows XP machine (if I can) that I would like to be able to connect to over the internet (the clients) and at the other end, I have a Mac with ARD 2.2 installed also with an Airport Extreme N router. Note: Both routers use Static IP addresses and all computers use static IP's internally not through DHCP. What are the settings or directions to do this.
    I have read and printed out the directions for Configuration of ARD 3.0 that are posted many times in the ARD discussion group, but it uses a Linksys router ( http://www.starkpr.com/ard.htm posted by Dave Sawyer). The Mac router is different, particularly with the place to set a Private IP address. I'm not sure about a lot of things, but especially about the Private IP address, what number do I set it to, the one that is in my Network connections list? It automatically changes to a different number in AE N setup for Port Forwarding (by one) as if it is not supposed to be the same?????
    Are there any directions available that are as straightforward for the Airport Extreme N router, as the ones that are listed here for the Linksys Routers? ( http://www.starkpr.com/ard.htm )
    Any and All help will be greatly appreciated.
    P.S. I know I should have 3.0 but bought 2.2 just weeks before 3.0 came out and they would not give me an upgrade price, so I'm waiting for 4.0 to upgrade.
    Thanks,
    Jim

    Try the following for each AirPort Extreme ...
    AEBSn - Port Mapping Setup
    To set up port mapping on an 802.11n AirPort Extreme Base Station (AEBSn), either connect to the AEBSn's wireless network or temporarily connect directly, using an Ethernet cable, to one of the LAN ports of the AEBSn, and then use the AirPort Utility, in Manual Setup, to make these settings:
    1. Reserve a DHCP-provided IP address for the host device.
    Internet > DHCP tab
    o On the DHCP tab, click the "+" (Add) button to enter DHCP Reservations.
    o Description: <enter the desired description of the host device>
    o Reserve address by: MAC Address
    o Click Continue.
    o MAC Address: <enter the MAC (what Apple calls Ethernet ID if you are using wired or AirPort ID if wireless) hardware address of the host computer>
    o IPv4 Address: <enter the desired IP address>
    o Click Done.
    2. Setup Port Mapping on the AEBSn.
    Advanced > Port Mapping tab
    o Click the "+" (Add) button
    o Service: <choose the appropriate service from the Service pop-up menu>
    o Public UDP Port(s): 3283
    o Public TCP Port(s): 3283
    o Private IP Address: <enter the IP address of the host server>
    o Private UDP Port(s): 3283
    o Private TCP Port(s): 3283
    o Click "Continue"
    o Click the "+" (Add) button
    o Service: <choose the appropriate service from the Service pop-up menu>
    o Public UDP Port(s):
    o Public TCP Port(s): 5900
    o Private IP Address: <enter the IP address of the host server>
    o Private UDP Port(s):
    o Private TCP Port(s): 5900
    o Click "Continue"
    o Click the "+" (Add) button
    o Service: <choose the appropriate service from the Service pop-up menu>
    o Public UDP Port(s):
    o Public TCP Port(s): 5988
    o Private IP Address: <enter the IP address of the host server>
    o Private UDP Port(s):
    o Private TCP Port(s): 5988
    o Click "Continue"
    (ref: "Well Known" TCP and UDP ports used by Apple software products)

  • Port forwarding for Warcraft 3 - no other posts have helped me solve this :

    Hi everyone,
    At risk of flogging a dead horse, I am having trouble with port forwarding/port mapping on my new AEBS and need help.
    Warcraft 3 requires ports 6112-6119 open, which I had successfully set up through the Router Management Interface of my router (Speedstream 536 v6). Since I've set up the airport and run the router through it, I've been unable to host/join games on Warcraft, due to ports not being open.
    I've since gone back in to the router setup and attempted to configure it. I've tried sending the open port traffic to the base station, to the computer, and a combination of each, but nothing seems to fix it.
    Aside from port forwarding, it is working fine. My internet connection is flawless (a little slower than before airport ... or perhaps my imagination?), my Wii and XBOX360 both find the network fine (360 hard wired over ethernet due to wireless security issues ... see other threads!), but I can't play my warcraft games.
    The help system (and some of the other threads on here) direct me to the Airport Utility -> Advanced -> Port Mapping. The problem is that on my advanced pane I only see:
    - Logging and SNMP
    - Bonjour
    - IPv6
    I've tried restarting the AEBS but get no joy. Is there something I'm doing that is fundamentally wrong? Can anyone help me? I'm not sharing the connection with any other computers, just wii and xbox, if that makes any difference.
    If there's anything else you'd need to know, please ask me.
    I look forward to your responses, and any help is most appreciated.
    Regards,
    GH

    The IP address of my iMac is 10.0.0.1; the address of the Speedtouch is 10.0.0.138; the AEBS is 10.0.0.2, and the xbox360 (which the speedtouch sees as "Generic device") is 10.0.0.4.
    On the speedtouch setup page, there's a lot of long-winded gibberish which I don't really understand, but perhaps it'll be of some use to someone more knowledgeable on the topic. Each device has the following information:
    iMac (which it lists as Unknown-00-11-24-bb-ef-96):
    Information
    Status: Active
    Type: Generic Device
    Connected To: ethport1 (Ethernet)
    Addressing
    Physical Address: 00:11:24:bb:ef:96
    IP Address Assignment: DHCP
    IP Address: 10.0.0.1
    Always use the same address: No
    DHCP Lease Time: 0 days, 16:34:40
    Connection Sharing
    Game or Service
    War3
    Warcraft III
    (This is what I had named the settings which opened ports 6112-6119 on TCP and UDP respectively. As stated, it worked fine before the airport came along, and I've since tried removing and reinstating with no success).
    Airport-Extreme
    Information
    Status: Active
    Type: Generic Device
    Connected To: ethport1 (Ethernet)
    Addressing
    Physical Address: 00:16:cb:c2:c3:2c
    IP Address Assignment: DHCP
    IP Address: 10.0.0.2
    Always use the same address: No
    DHCP Lease Time: 0 days, 16:38:05
    Connection Sharing
    There is no game or service assigned to this device.
    Xbox360
    Unknown-00-17-ab-4f-fa-a6
    Information
    Status: Active
    Type: Generic Device
    Connected To: ethport1 (Ethernet)
    Addressing
    Physical Address: 00:17:ab:4f:fa:a6
    IP Address Assignment: DHCP
    IP Address: 10.0.0.4
    Always use the same address: No
    DHCP Lease Time: 0 days, 16:31:45
    Connection Sharing
    There is no game or service assigned to this device.
    Does any of this help at all?

  • Port Forwarding for L2TP/IPSec VPN Behind Verizon Actiontec MI424WR-GEN2 Rev. E v20.21.0.2

    I've got a NAS setup with various services running on custom ports to help minimize exposure (especially to script kiddies). I've tested everything both internally and externally to confirm they all work, and even had someone at a remote location confirm accessibility as well.  Port forward configurations performed on the Actiontec are working well. 
    I installed an L2TP/IPSec VPN server, tested internally and it connected successfully.  So for all intents & purposes, this validates that the VPN server is correctly configured to accept inbound connections and functioning correctly.
    I logged into the Verizon Actiontec MI424WR router, set up port forwarding for UDP ports 500, 1701 & 4500.
    Note: I added the AH & ESP protocols based on what I saw on the built-in L2TP/IPSec rules
    With the port forwarding in place, I tested VPN externally but it didn't connect.
    I've done the following so far to no avail:
    Double & triple checked the port forwards, deleted & recreated the rules a few times to be sure
    There are no other pre-existing L2TP/IPSec port forward rules or otherwise conflicting port forward rules (e.g.: another rule for ports 500, 1701 or 4500)
    There was an L2TP port triggering rule enabled, that I toggled on and off with no change
    Verified the firewall on VPN server had an exclusion for L2TP, or that the firewall is off. (Firewall is off to reduce a layer of complexity, but it worked internally to begin with so I doubt that's the issue.)
    Since it works internally, and there are no entries in the logs on the device indicating inbound connections, I'm convinced it's an issue with the Verizon Actiontec router.  But unfortunately, I'm not sure what else to try or where else to look to troubleshoot this.  For instance, is there a log on the router that I can view in real time (e.g.: tail) that would show me whether or not the inbound connection attempt is reaching the device, and whether or not the device allowed or blocked it?
    My router details:
    Verizon Actiontec
    MI424WR-GEN2
    Revision E
    Firmware 20.21.0.2
    Verizon Actiontec built-in L2TP/IPSec rule templates.  They're not currently in use, but are baked into the firmware for easy configuration/selection from a drop down menu.

    Normally a VPN on that router will have a GRE tunneling protocol as well.
    Two ways to build the PF rules:
    Manually
    Preconfigured
    I know the preconfigured VPN rules will do the GRE protocol as well, but if you do it by hand you can't get it.
